Azure Sentinel library modules

Submodules

msticnb.nblib.azsent.host module

host_network_summary notebooklet.

class msticnb.nblib.azsent.host.HostNameVerif(host_name, host_type, host_names)

Bases: tuple

Create new instance of HostNameVerif(host_name, host_type, host_names)

count()

Return number of occurrences of value.

host_name

Alias for field number 0

host_names

Alias for field number 2

host_type

Alias for field number 1

index()

Return first index of value.

Raises ValueError if the value is not present.

msticnb.nblib.azsent.host.get_aznet_topology

Get Azure Network topology information for host or IP address.

Parameters:
  • qry_prov (QueryProvider) – Query provider to use for queries
  • host_entity (Host) – Host entity to populate data with
  • host_name (str, optional) – Host name, by default None
  • host_ip (str, optional) – Host IP Address, by default None
msticnb.nblib.azsent.host.get_heartbeat

Get Heartbeat information for host or IP.

Parameters:
  • qry_prov (QueryProvider) – Query provider to use for queries
  • host_name (str, optional) – Host name, by default None
  • host_ip (str, optional) – Host IP Address, by default None
Returns:

Host entity

Return type:

Host

msticnb.nblib.azsent.host.populate_host_entity(heartbeat_df: pandas.core.frame.DataFrame = None, az_net_df: pandas.core.frame.DataFrame = None, vmcomputer_df: pandas.core.frame.DataFrame = None, host_entity: msticpy.datamodel.entities.host.Host = None, geo_lookup: Any = None) → msticpy.datamodel.entities.host.Host

Populate host with IP and other data.

Parameters:
  • heartbeat_df (pd.DataFrame) – Optional dataframe of heartbeat data for the host
  • az_net_df (pd.DataFrame) – Optional dataframe of Azure network data for the host
  • vmcomputer_df (pd.DataFrame) – Optional dataframe of VMComputer data for the host
  • host_entity (Host) – Host entity in which to populate data. By default, a new host entity will be created.
  • geo_lookup (Any) – GeoIP Provider to use, if needed.
Returns:

Host entity populated with details of the IP data collected

Return type:

Host

msticnb.nblib.azsent.host.verify_host_name

Verify unique hostname by checking Win and Linux logs.

Parameters:
  • qry_prov (QueryProvider) – Kql query provider
  • timespan (TimeSpan) – Time span over which to query
  • host_name (str) – The full or partial hostname.
Returns:

Named tuple HostNameVerif (Tuple[Optional[str], Optional[str], Optional[Dict[str, str]]]) with fields host_name, host_type, host_names:
  • If a unique hostname is found, host_name is populated.
  • If multiple matching hostnames are found, host_names is populated and host_name is None.
  • host_type is either Windows or Linux.
  • If no matching host is found, all fields are None.

Return type:

HostNameVerif
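The three outcomes of the HostNameVerif contract above (unique match, ambiguous match, no match) are easy to mishandle in a notebook, so the following is an added, self-contained illustration of how a caller should branch on the result. It is not msticnb's own code: verify_host_name runs Kql queries against Windows and Linux logs through a QueryProvider, which is not available offline, so the stand-in function verify_host_name_offline here matches against constructed sample log records instead. Assumptions not stated on the page: the host_names dict maps host name to OS type, partial matches are case-insensitive substring matches, and an exact-name match is preferred when it sits among several partial matches.

```python
"""Offline illustration of the HostNameVerif result contract (added example).

Not msticnb's own code. verify_host_name_offline() is a hypothetical stand-in
for msticnb.nblib.azsent.host.verify_host_name that matches against constructed
sample log rows instead of querying a QueryProvider.
"""
from collections import namedtuple
from typing import Dict, Iterable, List

# Same field order as the documented msticnb.nblib.azsent.host.HostNameVerif
HostNameVerif = namedtuple("HostNameVerif", ["host_name", "host_type", "host_names"])

# Constructed sample records (hypothetical), one per log source.
WINDOWS_EVENTS = [
    {"Computer": "WEBSRV01.contoso.com", "EventID": 4624},
    {"Computer": "WEBSRV02.contoso.com", "EventID": 4625},
    {"Computer": "DC01.contoso.com", "EventID": 4768},
]
LINUX_EVENTS = [
    {"Computer": "websrv03", "SyslogMessage": "Accepted publickey for ops"},
    {"Computer": "bastion01", "SyslogMessage": "session opened for user root"},
]


def _matching_hosts(events: Iterable[dict], host_name: str) -> List[str]:
    """Return distinct Computer names containing host_name (case-insensitive).

    Assumption: a partial hostname is matched as a substring, as the real
    function accepts "full or partial hostname".
    """
    needle = host_name.lower()
    return sorted({e["Computer"] for e in events if needle in e["Computer"].lower()})


def verify_host_name_offline(
    host_name: str,
    windows_events: Iterable[dict] = WINDOWS_EVENTS,
    linux_events: Iterable[dict] = LINUX_EVENTS,
) -> HostNameVerif:
    """Resolve host_name to a HostNameVerif using the documented outcomes."""
    # Assumption: host_names maps host name -> OS type ("Windows" or "Linux").
    matches: Dict[str, str] = {}
    for os_type, events in (("Windows", windows_events), ("Linux", linux_events)):
        for name in _matching_hosts(events, host_name):
            matches[name] = os_type

    if not matches:
        # No matching host: all fields are None.
        return HostNameVerif(None, None, None)

    # Assumption: an exact (case-insensitive) name among several partial
    # matches is treated as the unique answer rather than as ambiguity.
    exact = [n for n in matches if n.lower() == host_name.lower()]
    if len(exact) == 1:
        return HostNameVerif(exact[0], matches[exact[0]], None)

    if len(matches) == 1:
        # Unique hostname: host_name and host_type populated, host_names None.
        ((name, os_type),) = matches.items()
        return HostNameVerif(name, os_type, None)

    # Multiple hostnames: host_names populated, host_name and host_type None.
    return HostNameVerif(None, None, matches)


def describe(result: HostNameVerif) -> str:
    """Branch on the result the way a notebook caller should."""
    if result.host_name is not None:
        return f"unique: {result.host_name} ({result.host_type})"
    if result.host_names:
        names = ", ".join(f"{n} ({t})" for n, t in sorted(result.host_names.items()))
        return f"ambiguous, refine the name: {names}"
    return "not found in Windows or Linux logs"


if __name__ == "__main__":
    for query in ("dc01", "websrv", "bastion01", "nosuchhost"):
        print(f"{query!r}: {describe(verify_host_name_offline(query))}")
```

In a live notebook the real call is `verify_host_name(qry_prov, timespan, host_name)` and returns the same tuple shape, so the `describe` branching applies unchanged; the important operational point is that a populated `host_names` means the caller must narrow the name before querying, not pick the first entry.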

msticnb.nblib.azsent.alert module

Alert utility functions.

msticnb.nblib.azsent.alert.browse_alerts(nb_result, alert_attr='related_alerts') → msticpy.nbtools.nbwidgets.select_alert.SelectAlert

Return alert browser/viewer.